// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium


// This file was autogenerated by go-to-protobuf. Do not edit it manually!

syntax = "proto2";

package github.com.cilium.cilium.pkg.k8s.slim.k8s.api.networking.v1;

import "github.com/cilium/cilium/pkg/k8s/slim/k8s/api/core/v1/generated.proto";
import "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1/generated.proto";
import "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "github.com/cilium/cilium/pkg/k8s/slim/k8s/api/networking/v1";

// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
// that should not be included within this rule.
message IPBlock {
  // cidr is a string representing the IPBlock
  // Valid examples are "192.168.1.0/24" or "2001:db8::/64"
  optional string cidr = 1;

  // except is a slice of CIDRs that should not be included within an IPBlock
  // Valid examples are "192.168.1.0/24" or "2001:db8::/64"
  // Except values will be rejected if they are outside the cidr range
  // +optional
  repeated string except = 2;
}

// NetworkPolicy describes what network traffic is allowed for a set of Pods
message NetworkPolicy {
  // Standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.meta.v1.ObjectMeta metadata = 1;

  // spec represents the specification of the desired behavior for this NetworkPolicy.
  // +optional
  optional NetworkPolicySpec spec = 2;
}

// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
// This type is beta-level in 1.8
message NetworkPolicyEgressRule {
  // ports is a list of destination ports for outgoing traffic.
  // Each item in this list is combined using a logical OR. If this field is
  // empty or missing, this rule matches all ports (traffic not restricted by port).
  // If this field is present and contains at least one item, then this rule allows
  // traffic only if the traffic matches at least one port in the list.
  // +optional
  repeated NetworkPolicyPort ports = 1;

  // to is a list of destinations for outgoing traffic of pods selected for this rule.
  // Items in this list are combined using a logical OR operation. If this field is
  // empty or missing, this rule matches all destinations (traffic not restricted by
  // destination). If this field is present and contains at least one item, this rule
  // allows traffic only if the traffic matches at least one item in the to list.
  // +optional
  repeated NetworkPolicyPeer to = 2;
}

// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
message NetworkPolicyIngressRule {
  // ports is a list of ports which should be made accessible on the pods selected for
  // this rule. Each item in this list is combined using a logical OR. If this field is
  // empty or missing, this rule matches all ports (traffic not restricted by port).
  // If this field is present and contains at least one item, then this rule allows
  // traffic only if the traffic matches at least one port in the list.
  // +optional
  repeated NetworkPolicyPort ports = 1;

  // from is a list of sources which should be able to access the pods selected for this rule.
  // Items in this list are combined using a logical OR operation. If this field is
  // empty or missing, this rule matches all sources (traffic not restricted by
  // source). If this field is present and contains at least one item, this rule
  // allows traffic only if the traffic matches at least one item in the from list.
  // +optional
  repeated NetworkPolicyPeer from = 2;
}

// NetworkPolicyList is a list of NetworkPolicy objects.
message NetworkPolicyList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.meta.v1.ListMeta metadata = 1;

  // items is a list of schema objects.
  repeated NetworkPolicy items = 2;
}

// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
// fields are allowed
message NetworkPolicyPeer {
  // podSelector is a label selector which selects pods. This field follows standard label
  // selector semantics; if present but empty, it selects all pods.
  //
  // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
  // the pods matching podSelector in the Namespaces selected by NamespaceSelector.
  // Otherwise it selects the pods matching podSelector in the policy's own namespace.
  // +optional
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.meta.v1.LabelSelector podSelector = 1;

  // namespaceSelector selects namespaces using cluster-scoped labels. This field follows
  // standard label selector semantics; if present but empty, it selects all namespaces.
  //
  // If podSelector is also set, then the NetworkPolicyPeer as a whole selects
  // the pods matching podSelector in the namespaces selected by namespaceSelector.
  // Otherwise it selects all pods in the namespaces selected by namespaceSelector.
  // +optional
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.meta.v1.LabelSelector namespaceSelector = 2;

  // ipBlock defines policy on a particular IPBlock. If this field is set then
  // neither of the other fields can be.
  // +optional
  optional IPBlock ipBlock = 3;
}

// NetworkPolicyPort describes a port to allow traffic on
message NetworkPolicyPort {
  // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
  // If not specified, this field defaults to TCP.
  // +optional
  optional string protocol = 1;

  // port represents the port on the given protocol. This can either be a numerical or named
  // port on a pod. If this field is not provided, this matches all port names and
  // numbers.
  // If present, only traffic on the specified protocol AND port will be matched.
  // +optional
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.util.intstr.IntOrString port = 2;

  // endPort indicates that the range of ports from port to endPort if set, inclusive,
  // should be allowed by the policy. This field cannot be defined if the port field
  // is not defined or if the port field is defined as a named (string) port.
  // The endPort must be equal or greater than port.
  // +optional
  optional int32 endPort = 3;
}

// NetworkPolicySpec provides the specification of a NetworkPolicy
message NetworkPolicySpec {
  // podSelector selects the pods to which this NetworkPolicy object applies.
  // The array of ingress rules is applied to any pods selected by this field.
  // Multiple network policies can select the same set of pods. In this case,
  // the ingress rules for each are combined additively.
  // This field is NOT optional and follows standard label selector semantics.
  // An empty podSelector matches all pods in this namespace.
  optional github.com.cilium.cilium.pkg.k8s.slim.k8s.apis.meta.v1.LabelSelector podSelector = 1;

  // ingress is a list of ingress rules to be applied to the selected pods.
  // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
  // (and cluster policy otherwise allows the traffic), OR if the traffic source is
  // the pod's local node, OR if the traffic matches at least one ingress rule
  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
  // this field is empty then this NetworkPolicy does not allow any traffic (and serves
  // solely to ensure that the pods it selects are isolated by default)
  // +optional
  repeated NetworkPolicyIngressRule ingress = 2;

  // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
  // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
  // solely to ensure that the pods it selects are isolated by default).
  // This field is beta-level in 1.8
  // +optional
  repeated NetworkPolicyEgressRule egress = 3;

  // policyTypes is a list of rule types that the NetworkPolicy relates to.
  // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
  // If this field is not specified, it will default based on the existence of ingress or egress rules;
  // policies that contain an egress section are assumed to affect egress, and all policies
  // (whether or not they contain an ingress section) are assumed to affect ingress.
  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
  // Likewise, if you want to write a policy that specifies that no egress is allowed,
  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
  // an egress section and would otherwise default to just [ "Ingress" ]).
  // This field is beta-level in 1.8
  // +optional
  repeated string policyTypes = 4;
}

